Remote Desktop Protocol (RDP) has been a key piece in an IT professional's arsenal since its original release with Windows NT 4.0. The ability to treat any system or task as a local one helps save time and reduce complexity when it comes to troubleshooting and problem solving.
Unfortunately, what was eagerly adopted as a productivity tool has also been widely recognized as one more potentially open door through which to deliver an attack. For obvious reasons, any program designed to allow for the remote takeover of a device is worthy of extra scrutiny from a security standpoint. In the wrong hands, RDPs can assist cybercriminals with deactivating a device's endpoint protection and spreading mayhem through a network or organization.
In reality, using a publically accessible RDP session to access a client's system creates huge vulnerabilities. Publicly available RDP sessions will be targeted. Just discovering such a session is as simple for cybercriminals as conducting an automated IP address port sweep. "It's a case of when, not if," says Webroot senior threat analyst Tyler Moffitt. "And once a cybercriminal gets into a system via an RDP, endpoint protection is effectively useless. The most successful way criminals will infect you with ransomware is through the unsecured RDP attack vector.”
A recent report on the state of bank security found that fully half of all banks have left remote access and control interfaces, including RDP, openly accessible from the internet. This is a shocking finding that describes how organizations that should be taking security the most seriously are shirking their responsibilities. The majority of MSPs would be ashamed to know such security vacuums exist, even for clients that are far less appealing targets.
Turning RDP into an attack vector
Most cyberattacks rely on lateral movement for their effectiveness. A malicious payload must hop from endpoint to endpoint before a system can fully be compromised and data stolen. When you add system access from a publicly accessible RDP to compromised or weak login credentials, such lateral movement across endpoints is easily accomplished.
To add to RDP’S security woes, its vulnerabilities can be exploited even when remote logons are not permitted. By using an elevated account with logon locally permissions, remote access to the windowssystem32 folder of a target endpoint can be leveraged to replace the Sticky Keys application (sethc.exe) with cmd.exe. Then an RDP session can be established even if the compromised account isn’t allowed to logon via RDP. Next, a key is repeatedly pressed, which invokes .exe instead of Sticky Keys, allowing the attacker elevated access to the command prompt on the target system. And this is only one of the techniques cybercriminals can use to weaponize RDP.
So how can you protect your clients, and your business, from RDP-enabled hacks?
There are four high-level options for making your environment, and the environments you manage, more secure:
- Consider limiting RDP access by changing the default port of TCP 3383 and use virtual networking/VLANs/etc. to limit access to critical systems via RDP can help. However, we suggest blocking all connections using RDP unless from a whitelisted IP range.
- Beef up logon security by using multi-factor authentication as a way of thwarting any use of a remote session. Additional solutions that monitor logon activity can provide IT heightened visibility into inappropriate and unusual logon attempts. Setting logout attempts is also an option, but in some cases this can result in workstations getting locked out and inaccessible.
- Secure endpoints first with solutions designed to detect network anomalies, like an RDP session attempt from another workstation (which is unlikely to happen normally) so it can be used to both respond (i.e. kill the session) and to notify IT of the attempt.
- Use a paid encrypted solution for endpoints with regular users and consider using a secure third-party remote session solution - such as VNC, TeamViewer, LogMeIn, ScreenConnect, etc. – to allow IT to continue to support its users with encrypted connections. Why? Well, when RDP came out, options were limited to pcAnywhere and a few other products for remote sessions. But now, more than 20 years on, there are plenty of alternative ways for remote access. For critical systems where elevated accounts are used, consider Privileged Session Management. These solutions not only provide their own remote desktop session, but also hide the account name and password used to access a system (keeping the elevated credentials protected as well).
RDP: Ready to Ditch the Protocol?
Security threats aren’t diminishing. In fact, they’re at an all-time high, and so many other (and, frankly better) remote desktop options are out there. MSPs must recognize the risk RDPs pose to their clients and their business. At a minimum, consider ways to better secure the access to and use of RDP. And, if you can, leverage today’s advanced technologies to go beyond basic remote sessions and take control of your – and your clients’ – security posture.
To learn more about Webroot and its suite of security solutions, click here.
Guest blog courtesy of Webroot. Read more Webroot blogs here.
